Contra Costa Health Plan (CCHP) is sending notifications to patients to alert them that some of their protected health information (PHI) has been exposed and has potentially been accessed by an unauthorized individual.

On December 1, 2014, a contractor began working for CCHP to provide utilization management services and was provided with access to the systems that contained health plan records. On May 22, 2018, CCHP found out the contractor used a fake identity to win the contracts. When the fraud was discovered, CCHP ended the contract and terminated her system access. A complete review of the contractor’s activities was conducted to determine whether plan members’ data were viewed.

The review showed the contractor did access plan members’ health plan records while performing her utilization management responsibilities, but there was no evidence uncovered that suggested the contractor further disclosed any of the records or misused plan members’ data.

The types of data that the contractor accessed included names, telephone numbers, addresses, birth dates, medical data, prescription details, and Social Security numbers.

CCHP notified California’s Department of Health Care Services about the incident, and the department advised CCHP to send notifications to all plan members whose data had been viewed. Those people were given free credit monitoring, identity theft protection, and identity restoration services as a safety precaution.

Ramsey County Social Services Data Breach Reported

Ramsey County Social Services, based in St. Paul, MN, suffered a phishing attack on August 9, 2018, involving 28 employees’ email accounts.

After accessing the email accounts, the attackers tried to reroute employees’ salaries. Immediate action was taken to stop the attack and secure the email accounts. A data security company was called in to conduct a comprehensive investigation of the incident.

On October 12, 2018, the data security company informed Ramsey County Social Services that the hackers potentially viewed email messages in the accounts and potentially accessed the PHI of around 500 patients, the majority of whom used the agency’s mental health and chemical services.

The accounts contained the following types of information: names, birth dates, addresses, Social Security numbers, and some medical data. Patients impacted by the breach received notifications in early December. At the time of issuing notifications, no reports had been received that indicated any PHI had been misused.

To better secure employee email accounts, a tool has been used to enforce the use of strong passwords, and multi-factor authentication has been implemented. New security software was likewise installed that allows Ramsey County Social Services to monitor email accounts more closely for unauthorized access. Further training has also been provided to all employees.